different user perms for different clients

Pat Cain moftsd at gmail.com
Thu May 7 02:52:44 CEST 2015


FreeRADIUS Version 3.0.7

Hello,

I'm migrating to freeradius from Radiator, and the configuration files are
very, very different, so I'm looking for some conceptual guidance, or some
working examples.

Essentially, I'm just not getting it when it comes to configuring a
different list of users for each freeradius client.  Not sure if I'm
supposed to use huntgroups or features within client definitions.

The background:

We use Radius to authenticate access to Cisco switches (and some APC UPS
devices).  Our switches are mostly managed solely by a group of admins
(users useraa, userbb, and usercc), and a user userdd with read-only
access.

Our Cisco switches are currently all statically listed as follows (in
clients.conf):

client coswe008 {
    ipv4addr = 10.79.161.102
    secret = leauth
    nas_type = cisco
}

I have a file with our info configured in /etc/raddb/mods-enabled/passwd:

passwd fss_passwd {
    filename = /usr/local/etc/raddb/fss-users.passwd
    delimiter = |
    format = "*User-Name:Crypt-Password:=Service-Type:=Cisco-AVPair:=APC-Service-Type"
    hash_size = 100
    ignore_nislike = yes
    allow_multiple_keys = no
}

and the contents of fss-users.passwd:

# File Format is (extra spaces around the '|' for ease of reading)
#  User-Name | Crypt-Password | Service-Type | Cisco-AVPair | APC-Service-Type
useraa|OwdaaacZLaaaE|NAS-Prompt-User|shell:priv-lvl=15|Admin
userbb|OwdbbbcZLbbbE|NAS-Prompt-User|shell:priv-lvl=15|Admin
usercc|OwdccccZLcccE|NAS-Prompt-User|shell:priv-lvl=15|Admin
userdd|OwddddcZLdddE|NAS-Prompt-User|shell:priv-lvl=1|

and this works fine.

What I'd like to be able to change, though, is for userdd to have admin
access to two of our switches, and read access to all the rest.

The essence of this question is how do I customize the user list for each
client? Is it a huntgroup, or a conditional include in the clients.conf
file?


Thanks for what you can offer on this topic,
pjc

PS - is there an archive for this list that can be searched?
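Added example, not part of the original post or of the FreeRADIUS distribution: one way to give userdd priv-lvl=15 on two named switches while leaving the per-user default from fss-users.passwd in place everywhere else. It keeps the passwd module exactly as configured above and adds an unlang condition in the authorize section of sites-enabled/default, placed after the fss_passwd call so that the priv-lvl=1 reply attribute already exists and ":=" replaces it. Client-Shortname is the name of the matching client { } block from clients.conf. The second switch name, coswe009, is a hypothetical stand-in for whatever the second admin-level client block is called; the rest of the authorize section is assumed to stay as it is.

```unlang
# sites-enabled/default, authorize section (added example, not the original
# poster's configuration).  Only the block between the two comments is new;
# everything else in authorize stays as it already is.
authorize {
    # ... existing modules before the passwd lookup are unchanged ...

    # Looks userdd up in fss-users.passwd and, per the "=" fields in the
    # module's format string, adds Service-Type and Cisco-AVPair
    # (shell:priv-lvl=1 for userdd) to the reply list.
    fss_passwd

    # --- begin added per-client override ---
    # Client-Shortname is the name of the client { } block that matched the
    # request's source address, so an unlisted NAS can never satisfy this
    # condition (it is rejected before authorize runs).
    # coswe008 is from the post; coswe009 is a hypothetical second switch.
    if (&User-Name == "userdd" && (&Client-Shortname == "coswe008" || &Client-Shortname == "coswe009")) {
        update reply {
            # ":=" replaces the priv-lvl=1 value fss_passwd just set; "+="
            # would leave both AVPairs in the reply, which is not wanted.
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    # --- end added per-client override ---

    # ... existing modules after the passwd lookup (e.g. pap) are unchanged ...
}
```

To confirm which branch fired, start the server with radiusd -X and send a request from each switch: the debug output prints the evaluated condition and, on a match, the update reply block and the final reply attributes, so a request from any other client should still show shell:priv-lvl=1 for userdd.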


More information about the Freeradius-Users mailing list